On 3/10/19 8:25 AM, Alexandre Derumier wrote:
> This adds support for ARP filtering in ebtables.
> We can't use ipset, so IPs need to be tested one by one in a separate chain.
>
> The layer2_protocols test also needs to be done in a separate chain,
> to be able to have the final accept in the tap chain.
>

applied series, thanks!

>
> 997.conf
> --------
> net0: virtio=12:ED:5E:CE:7D:91,bridge=vmbr0,firewall=1,tag=100
>
> 997.fw
> ------
> [OPTIONS]
> enable: 1
> layer2_protocols: ARP,IPX
>
> [IPSET ipfilter-net0]
>
> 192.168.2.10
> 192.168.2.11
> 192.168.1.0/24
> FE80::0202:B3FF:FE1E:8329 # will be excluded, as we don't have ARP in IPv6
>
>
> ebtables generated rules:
> -------------------------
>
> -A tap997i0-OUT -s ! 12:ed:5e:ce:7d:91 -j DROP
> -A tap997i0-OUT -p ARP -j tap997i0-OUT-ARP
> -A tap997i0-OUT -j tap997i0-OUT-PROTO
> -A tap997i0-OUT -j ACCEPT
>
> -A tap997i0-OUT-ARP -p ARP --arp-ip-src 192.168.2.10 -j RETURN
> -A tap997i0-OUT-ARP -p ARP --arp-ip-src 192.168.2.11 -j RETURN
> -A tap997i0-OUT-ARP -p ARP --arp-ip-src 192.168.1.0/24 -j RETURN
> -A tap997i0-OUT-ARP -j DROP
>
> -A tap997i0-OUT-PROTO -p ARP -j RETURN
> -A tap997i0-OUT-PROTO -p IPX -j RETURN
> -A tap997i0-OUT-PROTO -j DROP
>
>
> Changelog v2:
>
> - code cleanup
> - add support for filter-net ipset for lxc
> - lxc: only filter main ip address if ipfilter option is enabled
> - split the layer2_protocols change into a separate commit
>
>
>
> Alexandre Derumier (2):
>   ebtables: add arp filtering
>   ebtables: test layer2_protocols in an external chain
>
>  src/PVE/Firewall.pm | 50 +++++++++++++++++++++++++++++++++++++++++--------
>  1 file changed, 41 insertions(+), 9 deletions(-)

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
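The chain layout quoted above, as an added example that is not the series' own Perl in src/PVE/Firewall.pm: a small Python generator that reads constructed copies of the 997.conf NIC line and the 997.fw file, drops the non-IPv4 entries from the ipfilter set (ebtables' --arp-ip-src cannot express an IPv6 address; IPv6 does Neighbor Discovery over ICMPv6 instead), and emits the same tap997i0-OUT, -ARP and -PROTO chains. The parsing helpers and the function names (parse_fw, parse_net, ebtables_rules, rules_for_vm) are this example's own simplifications, not Proxmox APIs.

```python
import ipaddress

# Constructed input, modelled on the 997.conf / 997.fw files quoted above.
VM_CONF = "net0: virtio=12:ED:5E:CE:7D:91,bridge=vmbr0,firewall=1,tag=100"
VM_FW = """\
[OPTIONS]
enable: 1
layer2_protocols: ARP,IPX

[IPSET ipfilter-net0]

192.168.2.10
192.168.2.11
192.168.1.0/24
FE80::0202:B3FF:FE1E:8329 # excluded below: --arp-ip-src is IPv4 only
"""


def parse_fw(text):
    """Parse the [OPTIONS] and [IPSET <name>] sections of a .fw-style file.
    Returns (options dict, {ipset name: [entries]}); '#' comments are dropped.
    Simplified parser for this example, not the PVE config parser."""
    options, ipsets, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].split()
            if section[0] == "IPSET":
                ipsets.setdefault(section[1], [])
            continue
        if section is None:
            continue
        if section[0] == "OPTIONS":
            key, _, value = line.partition(":")
            options[key.strip()] = value.strip()
        elif section[0] == "IPSET":
            ipsets[section[1]].append(line)
    return options, ipsets


def parse_net(line):
    """'net0: virtio=MAC,bridge=vmbr0,...' -> ('net0', {'model', 'macaddr', ...})."""
    name, _, spec = line.partition(":")
    items = spec.strip().split(",")
    model, _, mac = items[0].partition("=")
    fields = {"model": model, "macaddr": mac}
    for item in items[1:]:
        key, _, value = item.partition("=")
        fields[key] = value
    return name.strip(), fields


def arp_sources(entries):
    """Keep only IPv4 entries: ARP carries IPv4 addresses, so an IPv6 entry
    in the ipfilter set has no ARP rule to map onto."""
    return [e for e in entries
            if ipaddress.ip_network(e, strict=False).version == 4]


def ebtables_rules(vmid, net_name, mac, ipfilter, protocols):
    """Emit the tap<vmid>i<n>-OUT chain plus its ARP and PROTO sub-chains.
    Sub-chains RETURN on a match and end in DROP, so the caller chain can
    finish with a single ACCEPT. ebtables cannot consult an ipset, hence one
    --arp-ip-src rule per address."""
    out = f"tap{vmid}i{net_name[len('net'):]}-OUT"
    rules = [f"-A {out} -s ! {mac.lower()} -j DROP"]   # guest may not spoof its MAC
    if ipfilter is not None:
        rules.append(f"-A {out} -p ARP -j {out}-ARP")
    if protocols:
        rules.append(f"-A {out} -j {out}-PROTO")
    rules.append(f"-A {out} -j ACCEPT")
    if ipfilter is not None:
        # Caveat (assumption, not stated on the page): an ipfilter set with no
        # IPv4 entry yields a DROP-only ARP chain, i.e. the guest cannot ARP at all.
        for ip in arp_sources(ipfilter):
            rules.append(f"-A {out}-ARP -p ARP --arp-ip-src {ip} -j RETURN")
        rules.append(f"-A {out}-ARP -j DROP")
    if protocols:
        for proto in protocols:
            rules.append(f"-A {out}-PROTO -p {proto} -j RETURN")
        rules.append(f"-A {out}-PROTO -j DROP")
    return rules


def rules_for_vm(vmid, conf_line, fw_text):
    """Glue: read the NIC line and the .fw text and return the rule list
    (empty when the firewall is off for the VM or for that NIC)."""
    name, nic = parse_net(conf_line)
    options, ipsets = parse_fw(fw_text)
    if options.get("enable") != "1" or nic.get("firewall") != "1":
        return []
    protocols = [p for p in options.get("layer2_protocols", "").split(",") if p]
    return ebtables_rules(vmid, name, nic["macaddr"],
                          ipsets.get(f"ipfilter-{name}"), protocols)


if __name__ == "__main__":
    print("\n".join(rules_for_vm(997, VM_CONF, VM_FW)))
```

Running it prints exactly the eleven rules quoted in the cover letter, with the FE80:: entry silently left out of the ARP chain; the one thing worth checking in a real deployment is the DROP-only ARP chain you get when an ipfilter set contains no IPv4 address at all.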